from the selling-out-your-privacy dept

This is hardly a surprise since Speaker Paul Ryan put his (weak, privacy destroying) version of CISA into the "must pass" omnibus funding bill, retitled as the Cybersecurity Act of 2015, but the bill was easily passed by Congress this morning, 316 to 113. Frankly, 113 votes against was much higher than I expected. Below are the votes:

from the this-is-a-problem dept

In the past, President Obama has threatened to veto any cybersecurity bill that undermines privacy and civil liberties. Of course, people didn't quite believe that was true. Now that we see the final cybersecurity bill, with the bastardized CISA attached to the "must pass" omnibus spending bill and clearly a disaster on privacy issues, what do you think the White House is saying?

"We are pleased that the Omnibus includes cybersecurity information sharing legislation," a senior administration official said in an emailed statement. "The President has long called on Congress to pass cybersecurity information sharing legislation that will help the private sector and government share more cyber threat information by providing for targeted liability protections while carefully safeguarding privacy, confidentiality, and civil liberties."

from the up-is-down,-black-is-white,-day-is-night dept

Representative Adam Schiff, the ranking member of the House Intelligence Committee (the Committee that has most strongly been pushing versions of cybersecurity bills that undermine privacy and provide more surveillance powers) apparently believes that as long as he says day is night and up is down, the world will believe him. In response to Speaker Paul Ryan's decision to shove CISA into the omnibus funding bill, Schiff insisted that this was necessary to protect our privacy:

“This is the most protective of privacy of any cyber bill that we have advanced and we need to keep in mind the overriding interest all Americans have in protecting their privacy from these innumerable hacks,” Intelligence Committee ranking member Adam Schiff (D-Calif.), a cosponsor of his panel’s cyber bill, told The Hill. “Our privacy is being violated every day. And the longer we delay on measures like this, the more we subject ourselves to those kind of intrusions into our privacy.”

Nearly everything Schiff says here is complete hogwash. This bill is far from "the most protective of privacy of any cyber bill" that has advanced. Other versions clearly had more privacy protections (mainly the one advanced by the House Judiciary Committee). And, this latest one clearly strips out privacy provisions and makes it that much more difficult to protect our privacy.

And the fearmongering about "these innumerable hacks" and how "our privacy is being violated every day" is totally meaningless, because CISA does nothing to stop these hacks. We've asked many times before how CISA would have stopped a single hack, and no one ever answers. We've looked hard and cannot find a single online security expert who thinks that CISA would be useful in preventing online hacks and attacks. Because it wouldn't. There is nothing in there geared towards stopping attacks.

You know what would help in protecting our privacy and limiting the damage from hacks? Stronger encryption. I wonder what Rep. Adam Schiff thinks about that?

"While it remains too early to tell the role encrypted communications may have played in the devastating terrorist attacks in Paris, we do know that ISIS regularly instructs its operatives to use encrypted platforms precisely to help evade detection. These platforms are made overseas as well as in the U.S., and there are significant security, technological, economic and privacy issues involved in addressing the challenge posed to the intelligence community and law enforcement by encryption.

"That is why Chairman Nunes and I – months before these horrific attacks – requested that the National Academy of Sciences, an organization that two decades ago studied this very issue, produce an updated report that can help us to identify and design effective, technologically feasible and economically viable solutions to the increasingly dangerous problem known as 'going dark.' I am pleased that the Academy is proceeding with such a study, which will help inform policymakers and the public alike.

Yup.

If Rep. Schiff was truly worried about hacks and keeping Americans' data secure, he'd be supporting strong encryption. Instead, he's looking to undermine it, while at the same time supporting a separate bill which, under the false pretense of protecting us from cybersecurity attacks, actually undermines our privacy even further.

So here's a challenge to Rep. Adam Schiff: Can you find a single recognized cybersecurity expert who thinks that the way to protect against hacks is (1) found in this Cybersecurity Act and (2) involves figuring out ways to stop encryption from letting people "go dark"? If not, perhaps you should stop saying these things and stop legislating about it.

from the it's-a-mess dept

We warned earlier this week that Congress was going to make the cybersecurity bill CISA much worse on privacy, and then shove it into the "must pass" omnibus spending bill, and that's exactly what happened. The 2000+ page bill was only released early yesterday morning and the vote on it is tomorrow, meaning people have been scrambling to figure out what exactly is actually in there. The intelligence community has been using that confusion to push the bill, highlighting a couple of the predictions that didn't make it into the bill to argue that people against CISA are overstating the problems of the bill. That's pretty low, even for the intelligence community.

Stanford's Jennifer Granick has gone through this new zombie CISA, which has technically been renamed "the Cybersecurity Act of 2015," but which she's calling OmniCISA, and discovered that it's a complete disaster on the privacy front: it basically wipes out any ability of the FCC or the FTC to make service providers respect user privacy, and instead is designed to encourage more monitoring of user behavior, weakening their privacy. As she notes, after the FCC's net neutrality rules, there was some concern about a turf war between the FCC and the FTC over who protects consumer privacy rights with regard to internet access providers. To stop people from freaking out over this, the two agencies told people to calm down, because they're happy to work together to protect privacy, with the FCC handling issues related to privacy as a common carrier, and the FTC handling everything else.

But, as Granick points out, under CISA, so long as ISPs claim that they're spying on your internet activity for "cybersecurity" purposes (which is defined ridiculously broadly in the bill), then the FCC and FTC are completely blocked from doing anything:

This language means that, regardless of what rules the FCC or FTC have now or will have in the future, private companies including ISPs can monitor their systems and access information that flows over those systems for “cybersecurity purposes.”

[....]

It appears that OmniCISA is trying to stake out a category of ISP monitoring that the FCC and FTC can’t touch, regardless of its privacy impact on Americans.

This section of OmniCISA would not only interfere with future privacy regulations, it limits the few privacy rules we currently have.

The Wiretap Act is a provision of law that conditions the ability of telephone companies and Internet Service Providers to monitor the private messages that flow over their networks. The Wiretap Act says that these wire and electronic communications service providers can “intercept, disclose, or use that communication in the normal course of … employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service” (emphasis added). Similarly, ECPA allows providers to access stored information, and then to voluntarily share it for the same reasons. This language allows providers to conduct some monitoring of their systems for security purposes — to keep the system up and running and to protect the provider.

But it appears OmniCISA would waive these provisions of the Wiretap Act and ECPA. Why do that except to expand that ability to monitor for broader “cybersecurity purposes” beyond the legal ability providers already have to intercept communications in order to protect service, rights, or property?

So this bill isn’t just about threat information sharing, it’s about enabling ISP monitoring in ways beyond current law that have not been clearly defined or explained.

And, of course, if you don't think this will be abused both by the internet access providers and the law enforcement/intelligence communities, you haven't been paying attention for the past decade or more.

from the but-of-course dept

Yesterday we warned that Congress was quietly looking to do two horrible things: (1) strip all pretense from the "cybersecurity" information sharing bills and turn them into full-on surveillance bills and (2) then shove it into the "must pass" omnibus bill which is supposed to be about funding the government and nothing more. And... it looks like our warning was almost entirely accurate, as the bill has been released and within its over 2000 pages, it includes CISA and has been stripped of many of the key privacy protections (if you want to find it, it's buried on page 1728), while expanding how the information can be shared and used. In part, due to concerns raised yesterday, a few of the absolutely worst ideas didn't make it into the final bill, but it's still bad (and clearly worse than what had previously been voted on, which was already bad!).

The bill is due for a vote tomorrow and so right now would be the time to call your elected officials and let them know that this is a serious problem. The EFF has spoken out about how problematic this is, as have a group of free market think tanks.

There is some opposition within Congress to this. We've seen a "Dear Colleague" letter sent around by a set of four members of Congress (two from each party) -- Reps. Zoe Lofgren, Justin Amash, Jared Polis and Ted Poe -- opposing this move, but chances are that most members of Congress actually have no idea that this is happening, which is why you should be calling today to let them know how problematic this is.

The House Intelligence Committee counters that the claims being made against CISA are inaccurate, but they're being incredibly misleading. While the reports yesterday indicated that the bill would directly allow its use in "surveillance," the list of approved uses was changed slightly to effectively hide this fact. Specifically, it says that the information shared via CISA can be used to investigate a variety of crimes -- and doesn't say "surveillance." But, obviously, surveillance isn't a "crime" that the government will be investigating. It's just the method that the government will use to investigate crimes... which is now allowed under CISA. In earlier versions, the information was only to be used for "cybersecurity." But now that list has been expanded to cover a wide variety of crimes: "a specific threat of death, a specific threat of serious bodily harm, or a specific threat of serious economic harm, including a terrorist act or a use of a weapon of mass destruction."

And how are those things going to be stopped? By ramping up surveillance, of course.

Also, yesterday we noted that the proposed change would "remove" the privacy scrub requirements. The final bill didn't completely do that, but basically changed the standard to pretend that it's in there. Rather than demanding a full privacy scrub, the bill lets the Attorney General determine if DHS is doing a reasonable job with its privacy scrub. The same Attorney General who will now be using this same information to investigate all sorts of "criminal" activity. Guess what incentive the Attorney General has to make sure that privacy scrub is legit?

Finally, the revised bill tries to hide the fact that the NSA will get access to this data with some super crafty language. Section 105(c) of the bill notes that the President can designate any other agency to set up a portal to receive information, but explicitly says that cannot be the Defense Department or the NSA. That sounds good, but it is a total red herring. This is only about who runs the portal, not about who gets the information. So, DHS can still share the info with others, and the President could still designate, say, the FBI to get a portal... or the Director of National Intelligence (which oversees the NSA). However, CISA's supporters are pointing to this section as "proof" that it won't be used by the NSA.

Considering how much debate and concern there was over this bill, and the fact that basically all the major companies in Silicon Valley have come out against it -- and I still can't find a single computer security expert who thinks that this is needed for increasing our security, it's pretty obvious that this is not a cybersecurity bill. It's a surveillance bill that has no business being added to the omnibus bill.

from the even-worse-than-before dept

Remember CISA? The "Cybersecurity Information Sharing Act"? It's getting much, much worse, with Congress and the administration looking to ram it through -- in the process, dropping any pretense that it's not a surveillance bill.

As you may recall, Congress and the White House have been pushing for a "cybersecurity" bill, for a few years now, that has never actually been a cybersecurity bill. Senator Ron Wyden was one of the only people in Congress willing to stand up and directly say what it was: "it's a surveillance bill by another name." And, by now, you should know that when Senator Wyden says that there's a secret interpretation of a bill that will increase surveillance and is at odds with the public's understanding of that bill, you should listen. He's said so in the past and has been right... multiple times.

Either way, a version of CISA passed the House a while back, with at least some elements of privacy protection included. Then, a few months ago it passed the Senate in a much weaker state. The two different versions need to be reconciled, and it's been worked on. However, as we noted recently, the intelligence community has basically taken over the process and more or less stripped out what few privacy protections there were.

And the latest is that it's getting worse. Not only is Congress looking to include it in the end of year omnibus bill -- basically a "must pass" bill -- to make sure it gets passed, but it's clearly dropping all pretense that CISA isn't about surveillance. Here's what we're hearing from people involved in the latest negotiations. The latest version of CISA that they're looking to put into the omnibus:

Removes the prohibition on information being shared with the NSA, allowing it to be shared directly with NSA (and DOD), rather than first having to go through DHS. While DHS isn't necessarily wonderful, it's a lot better than NSA. And, of course, if this were truly about cybersecurity, not surveillance, DHS makes a lot more sense than NSA.

Directly removes the restrictions on using this information for "surveillance" activities. You can't get much more direct than that, right?

Removes limitations that government can only use this information for cybersecurity purposes and allows it to be used to go after any other criminal activity as well. Obviously, this then creates tremendous incentives to push for greater and greater information collection, which clearly will be abused. We've just seen how the DEA has regularly abused its powers to collect info. You think agencies like the DEA and others won't make use of CISA too?

Removes the requirement to "scrub" personal information unrelated to a cybersecurity threat before sharing that information. This was the key point that everyone kept making about why the information should go to DHS first -- where DHS would be in charge of this "scrub". The "scrub" process was a bit exaggerated in the first place, but it was at least something of a privacy protection. However, it appears that the final version being pushed removes the scrub requirement (along with the requirement to go to DHS) and instead leaves the question of scrubbing to the "discretion" of whichever agency gets the information. Guess how that's going to go?

In short: while before Congress could at least pretend that CISA was about cybersecurity, rather than surveillance, in this mad dash to get it shoved through, they've dropped all pretense and have stripped every last privacy protection, expanded the scope of the bill, and made it quite clear that it's a very broad surveillance bill that can be widely used and abused by all parts of the government.

There is still some hesitation by some as to whether or not this bill belongs in the omnibus bill, or if it should go through the regular process, with a debate and a full vote on this entirely new and different version of CISA. So, now would be a good time to speak out, letting your elected officials and the White House know that (1) CISA should not be in the omnibus and (2) that we don't need another surveillance bill.

In the meantime, if Congress were actually serious about cybersecurity, they'd be ramping up the acceptance and use of encryption, rather than trying to undermine it.

from the surprise-surprise dept

Back in October, the Senate voted overwhelmingly to approve CISA, the Cybersecurity Information Sharing Act, which has nothing to do with cybersecurity at all, and is almost entirely a surveillance bill in disguise. Want to know the proof? Many of the most vocal supporters of CISA, who talked up how important "cybersecurity" is these days, are the very same people now looking to undermine encryption.

And it now appears the final language is unlikely to include notable privacy provisions that digital rights and civil liberties groups insist are necessary to reduce the odds the bill enables greater government surveillance.

Basically, it looks like Congressional leadership decided to pull the worst parts from the various bills and mash them together into a super bill of pure terribleness. Not only will it favor the Senate bill, over the House's, but it will also pull ideas from the competing bill that was put forth by the House Intelligence Committee, rather than the one put forth by the Homeland Security Committee.

That, alone, should be rather telling. For all the talk about how this is about "security" and not at all about helping the intelligence community, why is it the Intelligence Committee's bill whose language is surviving, while the Homeland Security Committee's language is being deleted?

from the which-side-is-she-on? dept

Look, everyone has known for quite some time that Senator Dianne Feinstein's big push for so-called "cybersecurity" legislation in the form of CISA had absolutely nothing to do with cybersecurity. It was always about giving another surveillance tool to her friends at the NSA. However, given that she was one of the most vocal in selling it as a "cybersecurity" bill (despite the fact that no cybersecurity experts actually thought the bill would help) it seems worth comparing her statements from just a month ago, with her new attacks on actual cybersecurity in the form of encryption.

"Millions of personal records and hundreds of billions of dollars fall victim to cyber-attacks every year, and we’ve done little to stem the tide."

Of course, CISA does nothing to protect any of that. You know what does protect against that? Better use of encryption, to keep that information from getting hacked in any useful manner.

Okay, fast forward. Following the Paris attacks, Feinstein has been among the most vocal in claiming that we need to undermine encryption, which is pretty amazing given that she represents California (and is from San Francisco), home to tons of tech companies that actually get this and think she's completely crazy for undermining actual cybersecurity.

Never mind that, though. Here she is this past weekend, on CBS's Face the Nation totally attacking encryption itself and mocking the tech companies that just a month ago she was insisting needed special government help to protect against cyberattacks. She was asked if the intelligence community has the tools it needs, and she decides to attack encryption -- even choosing to cite as a source CIA director John Brennan -- the same John Brennan who illegally spied on her staffers and then lied about it repeatedly.

"I can say this. [FBI] Director [James Comey] and, I think John Brennan, would agree, that the Achilles Heel in the internet is encryption. Because there are now... it's a black web! And there's no way of piercing it. And this is even in commercial products! PlayStation, John! Which our kids use. If the two ends communicate, that's encrypted. So terrorists can use PlayStation to be able to communication and there's nothing that can be done about it."

The host, John Dickerson, then points out that the tech industry (again, mostly based in or near Feinstein's hometown, and that she's supposed to be representing) says that backdooring encryption makes us less safe and opens us up to more attack, and Feinstein brushes it off, relying on her apparent years of computer security training...

No. I don't think so. I think with a court order, with good justification, all of that can be prevented. It can be prevented in Europe, because Europe has been a major driver for more encryption. And I think that they are now seeing the results. I have visited with all of the General Counsels of the tech companies, just to try to get them to take bomb building recipes off the internet. Recipes that have been tested and we know can explode a plane. Directions. Where to sit on the plane to blow it up. We know that there are bombs that can go through magnetometers. And to put that information out on the internet, is terrible. And I sorta got 'well, pass a law.' So, we may just have to do that. But I am hopeful that the companies, most of whom are my constituents -- not most, but many -- will understand what we're facing. And we're not crying wolf. There's good reason for this. And people are dying all over the world. And I think the Sinai-Russian airliner is a classic example of a bomb that got on a plane, that blew up that plane.

Where to start with this nonsense? First, note that she doesn't actually respond to the question concerning how undermining encryption will make us all less safe and make all that information Feinstein herself claimed was under attack just a month ago more vulnerable, other than to say that she, personally, doesn't think that what every computer security expert has been saying is true. Yikes.

Second, rather than focus on encryption, she pivots to her other pet projects, claiming that the government should force internet companies to censor The Anarchist's Cookbook. She keeps on this despite the fact that all the way back in 1997, the DOJ directly told Feinstein that this would violate the First Amendment. From the DOJ to Feinstein:

The First Amendment would impose substantial constraints on any attempt to proscribe indiscriminately the dissemination of bombmaking information. The government generally may not, except in rare circumstances, punish persons either for advocating lawless action or for disseminating truthful information -- including information that would be dangerous if used -- that such persons have obtained lawfully.

Third, there's this weird infatuation with The Anarchist's Cookbook, despite the fact that it's generally recognized as a joke for fools, where the likelihood of being able to build an actual bomb from it is minimal at best. And, while she pretends that the GCs of tech companies just sort of shrugged their shoulders about this, it's much more likely that they thought she was being ridiculous in trying to censor the internet in violation of the First Amendment. Whoever told her "well, pass a law" was almost certainly trying to get rid of her, knowing that any such law would be unconstitutional.

Fourth, this tangent about "bomb making instructions" online still has absolutely nothing to do with encryption or the question about how encryption makes us all much more vulnerable to attack and actually makes us all less safe.

Fifth, the comment about Europe is insane. Again, while the attackers may have used some encryption, it's been revealed (since long before Feinstein did this interview) that they did an awful lot of communicating in the clear, including unencrypted SMS and Facebook messenger. On top of that, what the hell does "Europe has been a major driver for more encryption" even mean? Perhaps it's true that they've been adopting more encryption to hide from the NSA's spying that Feinstein herself helped hide from everyone.

Sixth: the whole PlayStation thing has been debunked as a way that the Paris attackers communicated. They did not. Furthermore, she's just wrong that the PlayStation has end-to-end encryption. It does not.

Seventh, does she honestly believe that whoever blew up that Russian airplane downloaded bomb-making instructions from the internet? Also, if it were really so easy to get such instructions and get them through security, don't you think we'd have seen a lot more airplanes blown up by now?

In summary, Feinstein (a month ago) said we should all be deathly afraid of cyberattacks, and the only way to solve it was to give the government much greater access to companies' computer systems, via CISA. And, now, she insists that encryption is an "Achilles's heel" and that actual cybersecurity experts are lying when they say undermining encryption will put everyone at risk. Why? Because The Anarchist's Cookbook is online and Google won't take it down.

Is it really so much to ask for politicians to actually understand technology before they go off on ridiculous, ignorant, uninformed rants about it -- often leading to even more ridiculous and dangerous legislation?

from the fudmongering dept

Famous TV news talking head Ted Koppel recently came out with a new book called Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath. The premise, as you may have guessed, is that we're facing a huge risk that "cyberattackers" are going to take down the electric grid, and will be able to take it down for many weeks or months, and the US government isn't remotely prepared for it. Here's how Amazon describes the book:

Investigative reporting that reads like fiction - or maybe I just wish it was fiction. In Lights Out, Ted Koppel flashes his journalism chops to introduce us to a frightening scenario, where hackers have tapped into and destroyed the United States power grids, leaving Americans crippled. Koppel outlines the many ways our government and response teams are far from prepared for an un-natural disaster that won't just last days or weeks - but months - and also shows us how a growing number of individuals have taken it upon themselves to prepare. Whether you pick up this book to escape into a good story, or for a potentially potent look into the future, you will not be disappointed.

The book also has quotes ("blurbs" as they're called) from lots of famous people -- nearly all of whom are also famous TV news talking heads or DC insiders who have a long history of hyping up "cyber" threats. But what's not on the list? Anyone with any actual knowledge or experience in actual computer security, especially as it pertains to electric grids.

Want to know how useful the book actually is? All you really need to read is the following question and answer from an interview Koppel did with CSO Online:

Did you interview penetration testers who have experience in the electric generation/transmission sector for this book?

No, I did not.

Also in that interview, Koppel admits that he hasn't heard anything from actual information security professionals (though he admits he may have missed it since he's been on the book tour). But, still, if you're writing an entire book with a premise based entirely on information security practices, you'd think that this would be the kind of thing you'd do before you write the book, rather than after it's been published. Instead, it appears that Koppel just spoke to DC insiders who have a rather long history of totally overhyping "cyberthreats" -- often for their own profits. In another interview, Koppel insists that he didn't want to be spreading rumors -- but doesn't explain why he didn't actually speak to any technical experts.

“Going in, what I really wanted to do was make sure I wasn’t just spreading nasty rumors,” said Koppel in a phone interview.... “After talking to all these people, I satisfied my own curiosity that this not just a likelihood but almost inevitable.”

"All these people"... who apparently did not include any computer security experts. Koppel claims that this isn't a priority because Homeland Security doesn't want to "worry" the American public:

“The public would have to understand it’s a plan that will work but if you don’t have a plan, that can be more worrisome. I just hope it becomes part of the national conversation during the presidential campaign.”

What?!? Homeland Security doesn't want to worry the American public? Which Homeland Security is he talking about? The one that manhandles the American public every time they go to an airport? The same one that is constantly fearmongering about "cyber attacks" and "cyber Pearl Harbor"? Is Koppel living in some sort of alternative universe?

Is there a chance that hackers could take down electric grids and it would cause serious problems? Sure. Anything's possible, but somehow we've gotten along without a single incident ever of hackers taking down any part of the electrical grid to date. And most actual information security professionals don't seem to think it is a "likely" scenario as Koppel claims. The whole thing seems to fit into the usual category of cyberFUD from political insiders who are salivating over the ability to make tons and tons of money by peddling fear.

Is it important to protect infrastructure like the electric grids? Yes. Should we be aware of actual threats? Absolutely. But overhyping the actual threat doesn't help anyone and just spreads fear... and that fear is quickly lapped up by people who will use it to profit for themselves.

Up until now, the NSA really hasn't discussed its policies regarding software vulnerabilities and exploits. A few months after the Snowden leaks began, the White House told the NSA to start informing software companies of any exploits/vulnerabilities it had discovered. The quasi-directive set no time limit for doing so and allowed the agency to withhold discovered exploits if there was a "clear national security or law enforcement" reason to do so.

While other parties have discussed the NSA's hoarding of software exploits, the agency itself hasn't. All information gathered to date has come from outside sources. Snowden provided some of the documents. The EFF knocked a couple more loose with an FOIA lawsuit against James Clapper's office.

The U.S. National Security Agency, seeking to rebut accusations that it hoards information about vulnerabilities in computer software, thereby leaving U.S. companies open to cyber attacks, said last week that it tells U.S. technology firms about the most serious flaws it finds more than 90 percent of the time.

Disclosing nine out of ten exploits sounds good, but these disclosures are likely only occurring after the vulnerability or exploit is no longer useful.

The re-assurances may be misleading, because the NSA often uses the vulnerabilities to make its own cyber-attacks first, according to current and former U.S. government officials. Only then does NSA disclose them to technology vendors so that they can fix the problems and ship updated programs to customers, the officials said.

Status remains quo. National security interests still override the security interest of millions of affected users. The NSA can't keep criminals from using the same security holes it's discovered. The only way to prevent a vulnerability from being exploited by malicious parties or unfriendly state actors is to disclose it. Eventual disclosure is better than no disclosure, but it's not nearly as altruistic as the NSA's 90% disclosure rate would make it appear.